The September Equifax data breach is by most accounts the most detrimental and damaging example of corporate hacking we’ve ever seen. While breaches like the one Yahoo experienced were larger in scale, the Equifax breach involved much more sensitive data – the most sensitive. But how exactly did this happen? Where did they go wrong?
Dan Goodin at Ars Technica found blatant flaws in the website Equifax set up just so people could check whether they were among the 143 million affected by the breach. So we can only imagine what security controls were in place (or missing) at the time of the breach itself.
What negligent steps on the part of Equifax, if any, helped this situation reach the level of a systemwide breach? What, if anything, could Equifax have done differently?
To answer these questions, we reached out to some of the leading security experts across the globe. Here is what they had to say:
1. Equifax Missed a Critical Vulnerability Window
While most security professionals and the public now understand that the Equifax breach was a legitimate hack – not a case of outright employee negligence – Equifax also should have seen it coming. According to Justin Shipe, Vice President of CardConnect, the credit bureau knew about the Apache Struts vulnerability as far back as March of 2017. That same vulnerability was used to hack into their systems in June 2017.
“The Apache Struts vulnerability was disclosed in March and used on Equifax in June,” says Shipe. “That’s two months. PCI dictates that critical patches get patched up within 30 days.”
The problem for Equifax came down to vulnerability management. Today’s criminals are aware of all kinds of vulnerabilities in a system’s defenses, so vulnerability management should be the highest priority of all IT personnel. However, as Shipe points out, it often requires more than just a change of process.
“For many companies, this may need to be a cultural shift. Have those hard conversations on what is truly most important,” says Shipe.
While some companies need only to patch a few security holes, others will need a complete security overhaul. Whether that means moving all data to a cloud-based digital document management system or hiring a brand-new security team, it will require full buy-in from all parties involved.
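The 30-day patch window Shipe cites is only useful if someone is actually measuring against it. The script below is an added example written for this article, not code from CardConnect or any other party quoted here: it takes an inventory of (asset, vulnerability) records with disclosure and patch dates and reports which ones breached the window. The inventory, asset names, vulnerability labels and the non-critical tiers of the policy are all constructed for illustration; only the 30-day critical figure comes from the article.

```python
from datetime import date, timedelta

# Patch-window policy in days, keyed by severity. The 30-day figure for
# critical fixes is the PCI requirement quoted in the article; the other
# tiers are assumed values for illustration.
PATCH_SLA_DAYS = {"critical": 30, "high": 60, "medium": 90}

# Constructed inventory: one record per (asset, vulnerability). Dates are the
# vendor disclosure date and the date the fix was deployed (None if still
# unpatched). None of these are real assets or real advisories.
INVENTORY = [
    {"asset": "web-01", "vuln": "VULN-A", "severity": "critical",
     "disclosed": date(2017, 3, 7), "patched": date(2017, 3, 20)},
    {"asset": "web-02", "vuln": "VULN-A", "severity": "critical",
     "disclosed": date(2017, 3, 7), "patched": None},
    {"asset": "db-01", "vuln": "VULN-B", "severity": "high",
     "disclosed": date(2017, 4, 1), "patched": date(2017, 6, 15)},
    {"asset": "app-03", "vuln": "VULN-C", "severity": "medium",
     "disclosed": date(2017, 5, 1), "patched": None},
]

# Date the report is run for (constructed).
REPORT_DATE = date(2017, 7, 1)


def sla_status(record, as_of):
    """Return (status, days_exposed) for one inventory record.

    status is "on_time" (patched within the window), "late" (patched after
    the deadline), "overdue" (unpatched and past the deadline) or "open"
    (unpatched but still inside the window). days_exposed counts from
    disclosure to the patch date, or to as_of if the fix is not deployed.
    """
    deadline = record["disclosed"] + timedelta(days=PATCH_SLA_DAYS[record["severity"]])
    end = record["patched"] or as_of
    days_exposed = (end - record["disclosed"]).days
    if record["patched"] is not None:
        status = "on_time" if record["patched"] <= deadline else "late"
    else:
        status = "overdue" if as_of > deadline else "open"
    return status, days_exposed


def sla_report(inventory, as_of):
    """Summarise compliance and list every record that breached the window."""
    counts = {"on_time": 0, "late": 0, "overdue": 0, "open": 0}
    breaches = []
    for rec in inventory:
        status, days = sla_status(rec, as_of)
        counts[status] += 1
        if status in ("late", "overdue"):
            breaches.append((rec["asset"], rec["vuln"], rec["severity"], status, days))
    return counts, breaches


if __name__ == "__main__":
    counts, breaches = sla_report(INVENTORY, REPORT_DATE)
    print(counts)
    for b in breaches:
        print("SLA breach: asset=%s vuln=%s severity=%s status=%s days_exposed=%d" % b)
```

In practice the inventory would be fed from a scanner export or CMDB rather than hard-coded, but the check itself stays this simple: the deadline is disclosure plus the policy window, and anything unpatched past it is a finding that needs an owner.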
2. Equifax Had Months to Detect & Respond to the Attack
According to Dave Burton, Vice President of Marketing for GuardiCore, the Equifax breach was one of lateral movement and occurred over a 5-month period. “The attackers gained access to the data center through the original Apache exploit,” says Burton, “and then used various techniques to progressively spread through the network.”
As the hackers searched for the private information they were after, they were in the network for months, undetected. Had Equifax detected the breach in time, it could have kept its most critical assets from being compromised. One way any company can respond to progressive breaches like this one, where attackers move laterally through the network, is to segment its information across multiple servers – both virtual and physical.
3. Equifax Needed an IDS (Intrusion Detection System)
“A lack of security knowledge seems to be a big factor here,” says Adam Sbeta, Director of RCE IT Resource. “Executives should give power to risk assessment management [teams] and hire reputable third parties to audit their security policies.”
According to Sbeta, Equifax could have patched the vulnerability or received alerts through an IDS (Intrusion Detection System) or IPS (Intrusion Prevention System). Both are built to detect changes in network behavior, so if a company has segmentation in place, it can kill a network connection where needed to avoid losing vital data.
“Now that most Americans’ data is out there in the wild forever,” says Sbeta, “any of the breached users can have their whole identity stolen and taken over. A little bit more social engineering could have these attackers take over our lives.”
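Sections 2 and 3 come down to the same two controls: a segmentation policy that states which tiers may talk to which, and detection that notices when a host starts behaving differently from its baseline. The script below is an added example written for this article, not code from GuardiCore, RCE IT Resource or any of the experts quoted. The network layout, addresses and flow records are constructed, and the logic is a deliberately simple stand-in for what a commercial IDS/IPS does: it first learns normal east-west traffic, then flags flows that either break the segmentation policy (what an IPS could drop outright) or are permitted but have never been seen from that host before.

```python
import ipaddress

# Network segments as address ranges. Constructed topology, not Equifax's.
SEGMENTS = {
    "dmz":  ipaddress.ip_network("10.0.1.0/24"),   # internet-facing web tier
    "app":  ipaddress.ip_network("10.0.2.0/24"),   # application servers
    "db":   ipaddress.ip_network("10.0.3.0/24"),   # databases holding customer records
    "corp": ipaddress.ip_network("10.0.4.0/24"),   # staff workstations
}

# Segmentation policy: the only cross-segment flows that are allowed, as
# (source segment, destination segment, destination port). Anything else
# between segments is a violation.
POLICY = {
    ("dmz", "app", 8080),
    ("app", "db", 5432),
    ("corp", "dmz", 443),
}


def segment_of(ip):
    """Map an address to its segment name, or 'external' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def parse_flows(lines):
    """Parse 'timestamp,src_ip,dst_ip,dst_port,bytes' records into dicts."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes),
                      "src_seg": segment_of(src), "dst_seg": segment_of(dst)})
    return flows


def build_baseline(flows):
    """Learn which (source host, destination segment, port) tuples are normal."""
    return {(f["src"], f["dst_seg"], f["port"]) for f in flows}


def detect(flows, baseline):
    """Classify each cross-segment flow.

    Returns a list of (kind, flow) where kind is
      "policy_violation": crosses segments in a way POLICY does not permit
      "new_behaviour":    permitted by policy but never seen during baselining
    Flows inside one segment, and flows already in the baseline, produce nothing.
    """
    alerts = []
    for f in flows:
        if f["src_seg"] == f["dst_seg"]:
            continue
        if (f["src_seg"], f["dst_seg"], f["port"]) not in POLICY:
            alerts.append(("policy_violation", f))
        elif (f["src"], f["dst_seg"], f["port"]) not in baseline:
            alerts.append(("new_behaviour", f))
    return alerts


# Constructed flow records: a normal period used for baselining ...
BASELINE_LOG = """
2017-03-01T10:00:00,10.0.1.10,10.0.2.20,8080,5120
2017-03-01T10:00:05,10.0.2.20,10.0.3.30,5432,20480
2017-03-01T10:01:00,10.0.4.15,10.0.1.10,443,2048
2017-03-01T10:02:00,10.0.2.20,10.0.2.21,22,1024
""".splitlines()

# ... and a later window in which the web tier starts reaching places it never did.
MONITOR_LOG = """
2017-05-13T02:00:00,10.0.1.10,10.0.2.20,8080,5120
2017-05-13T02:00:07,10.0.1.10,10.0.3.30,5432,1048576
2017-05-13T02:00:09,10.0.1.10,10.0.2.21,22,4096
2017-05-13T02:01:00,10.0.2.21,10.0.3.30,5432,734003200
""".splitlines()


def run():
    """Baseline on the quiet period, then check the monitored period."""
    baseline = build_baseline(parse_flows(BASELINE_LOG))
    return detect(parse_flows(MONITOR_LOG), baseline)


if __name__ == "__main__":
    for kind, f in run():
        print(f"{f['ts']} {kind}: {f['src']} ({f['src_seg']}) -> "
              f"{f['dst']} ({f['dst_seg']}):{f['port']} {f['bytes']} bytes")
```

The two alert kinds deserve different handling. A policy violation is unambiguous and can be blocked at the segment boundary without waiting for an analyst, which is the point Sbeta makes about killing connections. A new-behaviour alert is weaker evidence on its own, but a previously quiet application host suddenly pulling hundreds of megabytes from the database tier is exactly the kind of change a months-long intrusion produces, and it is invisible without a baseline to compare against.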
4. The Breach Was Just Too Big For Equifax to Handle
Much like the Richter scale for earthquakes, the vulnerabilities behind breaches like Equifax’s are rated on a scale from 0 to 10 (with 10 being the most severe) under the Common Vulnerability Scoring System, or CVSS.
The Apache Struts vulnerability was rated a 9 out of 10, making it almost (if not completely) unmanageable for Equifax.
“Out of the 1 billion or so vulnerabilities Kenna was tracking, it showed up as 1 of about 250 million,” says Karim Toubba, CEO of Kenna Security. “Unfortunately, that’s completely unmanageable for a corporate IT security team to mitigate.”
This shows a very wide gap between ordinary, everyday vulnerabilities and the massive attack Equifax faced.
5. Hackers are Much Larger-Scale and High-Profile than We Know
The question is not whether your company will be attacked by a cybercriminal. The question is when, and what you are going to do about it. At least that is how Randy Battat, President and CEO of PreVeil, sees it. According to Battat, the Equifax situation highlights more than ever the need for a plan that can counter attacks on a central point or on multiple points.
“Despite (most likely) tens of millions in annual security budget and hundreds of security analysts, even their system was compromised,” says Battat. “Which begs the question – why doesn’t every business assume their server can and will be hacked, and so design a system built for that new reality?”
While most organizations understand the importance of super users and firewalls, very few understand how to distribute those super users, and the information they can access, so as to avoid creating a centralized target for attack.
Whether a company is hacked from the outside or from within, segmenting data this way will keep anyone from bringing the entire business down.
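Battat’s point can be made concrete by asking, for every account, how much data would be exposed if only that account’s credentials were stolen. The script below is an added example written for this article, not code from PreVeil or any other party quoted; the data stores, record counts, roles and the audit-log usage figures are all constructed. It compares a design with one all-access super user against one where the same administrative duties are split by data domain, and also shows the routine least-privilege review of comparing what an account may access with what it has actually accessed.

```python
# Data stores and their record counts. Constructed figures, not Equifax's.
DATASETS = {
    "credit_files_east": 50_000_000,
    "credit_files_west": 50_000_000,
    "dispute_docs":       5_000_000,
    "hr_records":            10_000,
    "web_logs":           2_000_000,
}

# Design A: one super user who can read everything, plus ordinary staff.
CENTRALIZED = {
    "root_admin": set(DATASETS),
    "analyst_1": {"web_logs"},
    "hr_1": {"hr_records"},
}

# Design B: the super user's rights split by data domain, so that no single
# account can read every store.
DISTRIBUTED = {
    "credit_admin_east": {"credit_files_east"},
    "credit_admin_west": {"credit_files_west"},
    "dispute_admin": {"dispute_docs"},
    "hr_admin": {"hr_records"},
    "platform_admin": {"web_logs"},
    "analyst_1": {"web_logs"},
    "hr_1": {"hr_records"},
}

# Constructed audit-log summary: which stores each account actually touched
# during the review window.
OBSERVED_USAGE = {
    "root_admin": {"web_logs", "hr_records"},
    "analyst_1": {"web_logs"},
    "hr_1": set(),
}


def exposure(grants, principal):
    """Records readable if this one principal's credentials are stolen."""
    return sum(DATASETS[d] for d in grants[principal])


def worst_case(grants):
    """The principal whose compromise exposes the most records.

    Returns (principal, records exposed, fraction of all records).
    """
    total = sum(DATASETS.values())
    worst = max(grants, key=lambda p: exposure(grants, p))
    records = exposure(grants, worst)
    return worst, records, records / total


def over_privileged(grants, usage):
    """Grants that observed usage never exercised: candidates for removal."""
    unused = {}
    for principal, allowed in grants.items():
        extra = allowed - usage.get(principal, set())
        if extra:
            unused[principal] = extra
    return unused


if __name__ == "__main__":
    for label, grants in (("centralized", CENTRALIZED), ("distributed", DISTRIBUTED)):
        who, records, frac = worst_case(grants)
        print(f"{label}: compromising {who} exposes {records:,} records ({frac:.0%})")
    for principal, extra in over_privileged(CENTRALIZED, OBSERVED_USAGE).items():
        print(f"{principal} holds unused access to: {sorted(extra)}")
```

The same arithmetic applies whether the “principal” is a human administrator, a service account or an application server, and the second function is what turns Battat’s “assume the server will be hacked” into a recurring task: access that an audit window shows was never used is access that costs nothing to remove and would otherwise be handed to whoever compromises the account.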
After serving global organizations large and small with sophisticated data encryption solutions, we believe erring on the side of caution is not just wise – it’s paramount. Security these days is about more than just safeguarding passwords and putting up firewalls. It’s about storing and sending information strategically. It’s also about knowing EXACTLY who has access to which files, when and where.
Our secure content delivery platform allows for strict user permissions and controls. You can decide exactly which files a given person has access to and restrict them from accessing more information than they require. You can also track which files were downloaded, saved, printed or viewed by IP address.
While most companies do not hold data as sensitive as Equifax’s, we can all learn something from their breach. Protect your company, your consumers and your intellectual property with eServe.